Richard Bejtlich writes about fraud, waste, and abuse (FWA) being beyond the purview of network security monitoring. I tend to agree, but the situation, as Bejtlich notes, isn't clear cut.

It is important to keep in mind that part of the reason organizations fund information security departments is to help with fraud, waste, and abuse as well as "sexier" problems such as espionage, theft, and destruction. As I've written previously, information security should focus on preventing and detecting unauthorized access. When fraud, waste, or abuse is carried out by gaining and exploiting unauthorized access, then the organization should rightfully expect the security monitoring team to detect it and alert the incident response or investigation team.

However, detecting FWA carried out by folks using authorized access in inappropriate ways is typically beyond the capabilities of most security monitoring teams. Expecting your monitoring team to detect improper entries in an expense report is rather unreasonable.

The idea is that if both of those conditions hold, then an attacker might be able to create new membership requests that end up linked to already existing accounts. The attacker can then use his "new" account to access stored sensitive information.

The particular scenario Rsnake outlines involves using cross-site request forgeries to delete an account and then hijack it, but the fundamental issues are as described above. There are a few good points to discuss about this issue.
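As an added illustration (not code from the original post or from Rsnake's write-up), the toy account service below shows the two defensive checks implied by the scenario above: a state-changing delete request is only honoured when it carries a per-session token, so a forged cross-site request is refused, and an identifier that has ever belonged to an account (deleted or not) is never handed to a new registration, so a "new" account cannot end up linked to an existing account's stored data. All names, identifiers and sample values here are constructed for illustration.

```python
"""Toy account service with anti-CSRF and identifier-reuse checks.

Added example, not from the original post. Names, routes and sample
values are constructed; nothing here models a specific real application.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    email: str
    secret_data: str = ""
    deleted: bool = False


class AccountService:
    def __init__(self):
        self._next_id = 1
        self._by_id = {}        # account_id -> Account (including tombstones)
        self._by_email = {}     # normalised email -> Account, never purged
        self._sessions = {}     # session_id -> account_id
        self._csrf = {}         # session_id -> single-use token

    def register(self, email):
        # Reject any identifier that has ever belonged to an account, so a
        # new registration can never be attached to old account data.
        key = email.strip().lower()
        if key in self._by_email:
            raise ValueError("identifier already in use")
        acct = Account(self._next_id, key)
        self._next_id += 1
        self._by_id[acct.account_id] = acct
        self._by_email[key] = acct
        return acct

    def login(self, account_id):
        # Constructed session handling: a random opaque session id.
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = account_id
        return session_id

    def issue_csrf_token(self, session_id):
        # Token is bound to the session and consumed on use.
        token = secrets.token_urlsafe(32)
        self._csrf[session_id] = token
        return token

    def delete_account(self, session_id, submitted_token):
        # A forged request from another origin carries the victim's cookie
        # (the session) but not the token, so it is refused here.
        expected = self._csrf.get(session_id)
        if expected is None or not hmac.compare_digest(expected, submitted_token):
            raise PermissionError("missing or invalid CSRF token")
        self._csrf.pop(session_id, None)
        acct = self._by_id[self._sessions[session_id]]
        acct.deleted = True
        acct.secret_data = ""   # scrub data but keep the tombstone
        return acct

    def read_secret(self, account_id):
        acct = self._by_id.get(account_id)
        if acct is None or acct.deleted:
            raise LookupError("no active account")
        return acct.secret_data


def demo():
    """Return (forged_delete_blocked, identifier_reuse_blocked)."""
    svc = AccountService()
    victim = svc.register("victim@example.test")   # constructed sample user
    victim.secret_data = "card ending 4242"         # constructed sample data
    session = svc.login(victim.account_id)

    try:                                   # forged request: session, no token
        svc.delete_account(session, "")
        forged_blocked = False
    except PermissionError:
        forged_blocked = True

    token = svc.issue_csrf_token(session)  # legitimate delete with token
    svc.delete_account(session, token)

    try:                                   # re-registration of the same email
        svc.register("Victim@example.test")
        reuse_blocked = False
    except ValueError:
        reuse_blocked = True
    return forged_blocked, reuse_blocked


if __name__ == "__main__":
    print(demo())
```

The tombstone is the important design choice: once an identifier has been used it stays reserved, so deleting an account cannot free its email address for someone else to claim and inherit whatever data was keyed on it.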

Houston's police chief suggests that cameras should be placed in homes to help fight crime. I first saw this story in Slashdot, and couldn't imagine anyone taking the idea seriously. Schneier then commented on the story, and in reference to the chief's statement that "if you are not doing anything wrong, why should you worry about it?" he notes:

One of the problems we have in the privacy community is that we don't have a crisp answer to that question. Any suggestions?

My response: If I'm not doing anything wrong, then why do you need to spy on me?

Dedication

My grandfather had a wonderful shop in his basement. To me, it was a place of mystery and fascination, and I would spend hours wandering through it, looking at all the tools and projects in various states of completion. Not being much of a woodworker, I've never had the need for such a shop (not to mention that I lack a basement), but it has recently occurred to me that my gear, computers, and software are my shop. This site is for my late grandfather and everyone else who takes personal pride in carefully executed work.